defense 2025

Towards Strong Certified Defense with Universal Asymmetric Randomization

Hanbin Hong 1, Ashish Kundu 2, Ali Payani 2, Binghui Wang 3, Yuan Hong 1

0 citations · 70 references · arXiv

Published on arXiv: 2510.19977

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

Achieves up to 182.6% improvement in certified accuracy at large certified radii over state-of-the-art isotropic randomized smoothing methods on MNIST, CIFAR-10, and ImageNet.

Novel technique introduced: UCAN (Universal Certified robustness with Anisotropic Noise)


Randomized smoothing has become essential for achieving certified adversarial robustness in machine learning models. However, current methods primarily use isotropic noise distributions that are uniform across all data dimensions, such as image pixels, limiting the effectiveness of robustness certification by ignoring the heterogeneity of inputs and data dimensions. To address this limitation, we propose UCAN: a novel technique that Universally Certifies adversarial robustness with Anisotropic Noise. UCAN is designed to enhance any existing randomized smoothing method, transforming it from symmetric (isotropic) to asymmetric (anisotropic) noise distributions, thereby offering a more tailored defense against adversarial attacks. Our theoretical framework is versatile, supporting a wide array of noise distributions for certified robustness in different ℓp-norms and applicable to any arbitrary classifier by guaranteeing the classifier's prediction over perturbed inputs with provable robustness bounds through tailored noise injection. Additionally, we develop a novel framework equipped with three exemplary noise parameter generators (NPGs) to optimally fine-tune the anisotropic noise parameters for different data dimensions, allowing for pursuing different levels of robustness enhancements in practice. Empirical evaluations underscore the significant leap in UCAN's performance over existing state-of-the-art methods, demonstrating up to 182.6% improvement in certified accuracy at large certified radii on MNIST, CIFAR10, and ImageNet datasets. Code is anonymously available at https://github.com/youbin2014/UCAN/.


Key Contributions

  • UCAN: a general framework that converts any isotropic randomized smoothing method into anisotropic (per-dimension) noise injection, providing stronger certified robustness guarantees
  • Theoretical framework supporting multiple noise distributions and ℓp-norm certifications applicable to arbitrary classifiers with provable robustness bounds
  • Three noise parameter generators (NPGs) that optimize per-dimension noise parameters to trade off robustness and accuracy at different certification radii

🛡️ Threat Analysis

Input Manipulation Attack

Directly defends against adversarial input manipulation attacks by providing provable certified robustness bounds via anisotropic randomized smoothing across ℓp-norms; the primary contribution is a stronger certified defense against adversarial examples at inference time.


Details

Domains
vision
Model Types
cnn, transformer
Threat Tags
white_box, black_box, inference_time, digital, untargeted
Datasets
MNIST, CIFAR-10, ImageNet
Applications
image classification